Fincer
/
pam_usb
mirror of https://github.com/Fincer/pam_usb
1
0
Fork 0
Code Issues 0 Releases 4 Wiki Activity
Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
198 Commits
1 Branch
15 MiB
Tree: c0172862f6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c0172862f6'
${ noResults }
pam_usb/doc/QUICKSTART

238 lines
7.1 KiB
Raw Normal View History

Updated the documentation
17 years ago
Documentation update
13 years ago
Updated the documentation
17 years ago
Doc update
17 years ago
Documentation update
13 years ago
Doc update
17 years ago
Documentation update
13 years ago
Doc update
17 years ago
Updated the documentation
17 years ago
Documentation update
13 years ago
Updated the documentation
17 years ago
Documentation update
13 years ago
Updated the documentation
17 years ago
Documentation update
13 years ago
Updated the documentation
17 years ago
 
  1. ====== Quickstart ======
  2. 

  3. Before going ahead, make sure to follow the upgrading instructions if you're
  4. using a version of pam_usb prior to 0.4.0.
  5. 

  6. ===== Installing ====
  7. 

  8. 

  9. ==== Gentoo Linux ====
  10. 

  11. # emerge -av pam_usb
  12. 

  13. 

  14. ==== Ubuntu and Debian ====
  15. 

  16. # apt-get install libpam-usb pamusb-tools
  17. 

  18. 

  19. ==== Installing from sources ====
  20. * Step 1: Download the latest release
  21. * Step 2: Unpack the distribution tarball
  22. 

  23. $ tar -zxvf pam_usb-<version>.tar.gz
  24. $ cd pam_usb-<version>
  25. 

  26. * Step 3: Make sure that you have installed the required dependencies
  27. 

  28. pam_usb depends on libxml2, PAM, udisks and pmount. pam_usb's tools
  29. (pamusb-agent, pamusb-conf) depends on python, python-celementtree and
  30. python-gobject.
  31. 

  32. * Step 3: Compile and install
  33. 

  34. $ make
  35. # make install
  36. 

  37. ==== Installing from git ====
  38. 

  39. If you want to use the development version, you can fetch the sources from
  40. GitHub
  41. $ git clone git:github.com/aluzzardi/pam_usb.git
  42. 

  43. ===== Setting up =====
  44. 

  45. 

  46. 

  47. ==== Devices and Users ====
  48. 

  49. * Once you've connected your USB device to the computer, use pamusb-conf to add
  50. it to the configuration file:
  51. 

  52. # pamusb-conf --add-device MyDevice
  53. Please select the device you wish to add.
  54. * Using "SanDisk Corp. Cruzer Titanium (SNDKXXXXXXXXXXXXXXXX)" (only option)
  55. Which volume would you like to use for storing data ?
  56. * Using "/dev/sda1 (UUID: <6F6B-42FC>)" (only option)
  57. Name            : MyDevice
  58. Vendor          : SanDisk Corp.
  59. Model           : Cruzer Titanium
  60. Serial          : SNDKXXXXXXXXXXXXXXXX
  61. Volume UUID     : 6F6B-42FC (/dev/sda1)
  62. Save to /etc/pamusb.conf ?
  63. [Y/n] y
  64. Done.
  65. 

  66. Note that MyDevice can be any arbitrary name you'd like. Also, you can add as
  67. many devices as you want.
  68. 

  69. * Users
  70. 

  71. Now that we have added the devices, we have to configure the users.
  72. 

  73.   # pamusb-conf --add-user root      
  74.   Which device would you like to use for authentication ?
  75.   * Using "MyDevice" (only option)
  76.   User            : root
  77.   Device          : MyDevice
  78.   Save to /etc/pamusb.conf ?
  79.   [Y/n] y
  80.   Done.
  81. 

  82. Repeat this step for every other username you'd like to use pam_usb with (e.g.
  83. pamusb-conf --add-user MyUsername).
  84. 

  85. * In order to check if everything went fine, we are going to use the
  86. pamusb-check tool which will simulate an authentication event.
  87. 

  88. # pamusb-check root
  89. * Authentication request for user "root" (pamusb-check)
  90. * Device "MyDevice" is connected (good).
  91. * Performing one time pad verification...
  92. * Verification match, updating one time pads...
  93. * Access granted.
  94. 

  95. 

  96. 

  97. ==== PAM Module ====
  98. 

  99. The PAM module pam_usb.so is used to let applications authenticate you using
  100. your USB device instead of asking your password. The default password-based
  101. authentication will be used as fallback if the device authentication goes wrong.
  102. 

  103. * Depending on the operating system you're using, you have to tell PAM to use
  104. pam_usb.so as default authentication method.  There should be a file named
  105. either common-auth (Gentoo) under /etc/pam.d/. If you do NOT have neither of
  106. those files, you'll have to edit each pam.d service file you want to use (e.g.
  107. /etc/pam.d/su, /etc/pam.d/gdm and so on).
  108. 

  109. * Locate the following line on /etc/pam.d/common-auth or /etc/pam.d/system-auth:
  110. 

  111. auth    required        pam_unix.so nullok_secure
  112. 

  113. * And change it to look something like that:
  114. 

  115. auth    sufficient      pam_usb.so
  116. auth    required        pam_unix.so nullok_secure
  117. 

  118. * You should now be able to authenticate the users configured in pamusb.conf
  119. using your USB device:
  120. 

  121. scox $ su
  122. * pam_usb v.SVN
  123. * Authentication request for user "root" (su)
  124. * Device "MyDevice" is connected (good).
  125. * Performing one time pad verification...
  126. * Verification match, updating one time pads...
  127. * Access granted.
  128. 

  129. * Try to authenticate to a different application. pam_usb.so should work with
  130. any application using xscreensaver and many more).
  131. 

  132. 

  133. 

  134. 

  135. ==== Agent ====
  136. 

  137. The pam_usb agent (pamusb-agent) allows you to automatically execute commands
  138. upon locking and unlocking events. Those events are generated when you insert or
  139. remove your authentication device.
  140. To configure the commands, you have to edit pam_usb's configuration file
  141. (/etc/pamusb.conf) and add agent entries into your user section.
  142. 

  143. For instance, you could automatically start your screensaver as soon as you
  144. remove the device, and deactivate it when you plug the device back.
  145. 

  146. * GNOME (gnome-screensaver):
  147. <user id="scox">
  148.   <device>MyDevice</device>
  149.   <agent event="lock">gnome-screensaver-command --lock</agent>
  150.   <agent event="unlock">gnome-screensaver-command --deactivate</agent>
  151. </user>
  152. 

  153. * KDE (kscreensaver):
  154. <user id="scox">
  155.   <device>MyDevice</device>
  156.   <agent event="lock">dcop kdesktop KScreensaverIface lock</agent>
  157.   <agent event="unlock">dcop kdesktop KScreensaverIface quit</agent>
  158. </user>
  159. 

  160. You can execute more commands by adding extra <agent> entries.
  161. 

  162. 

  163. $ pamusb-agent
  164. pamusb-agent[18329]: pamusb-agent up and running.
  165. pamusb-agent[18329]: Watching device "MyDevice" for user "scox"
  166. pamusb-agent[18329]: Device "MyDevice" has been removed, locking down user
  167. "scox"...
  168. pamusb-agent[18329]: Running "gnome-screensaver-command --lock"
  169. pamusb-agent[18329]: Locked.
  170. pamusb-agent[18329]: Device "MyDevice" has been inserted. Performing
  171. verification...
  172. pamusb-agent[18329]: Executing "/usr/bin/pamusb-check --quiet
  173. --config=/etc/pamusb.conf --service=pamusb-agent scox"
  174. pamusb-agent[18329]: Authentication succeeded. Unlocking user "scox"...
  175. pamusb-agent[18329]: Running "gnome-screensaver-command --deactivate"
  176. pamusb-agent[18329]: Unlocked.
  177. 

  178. Depending on your desktop environment, you have to add pamusb-agent to the list
  179. of autostarted applications so it will be started automatically.
  180. 

  181. * GNOME:
  182.   - Open System -> Preferences -> Sessions
  183.   - Select Startup Programs and press Add
  184.   - Enter pamusb-agent and press OK
  185.   - Press Close
  186. 

  187. * KDE:
  188.   - cd ~/.kde/Autostart
  189.   - ln -s /usr/bin/pamusb-agent pamusb-agent
  190. 

  191. ===== Troubleshooting =====
  192. 

  193. 

  194. ==== Log Analysis ====
  195. 

  196. Both pam_usb.so and pamusb-agent use the syslog facility to log authentication
  197. attempts.
  198. This can be useful for GUI-driven applications (for instance GDM) where you
  199. don't get to see console output.
  200. Messages are logged with the AUTH facility, they are usually written to
  201. /var/log/auth.log but may vary
  202. depending on the operating system you're using.
  203. 

  204. # tail -f /var/log/auth.log
  205. pamusb-agent[25429]: Device "sandisk" has been inserted. Performing
  206. verification...
  207. pamusb-agent[25429]: Executing "/usr/bin/pamusb-check --quiet
  208. --config=/etc/pamusb.conf --service=pamusb-agent scox"
  209. pam_usb[25485]: Authentication request for user "scox" (pamusb-agent)
  210. pam_usb[25485]: Device "sandisk" is connected (good).
  211. pam_usb[25485]: Access granted.
  212. pamusb-agent[25429]: Authentication succeeded. Unlocking user "scox"...
  213. pamusb-agent[25429]: Unlocked.
  214. 

  215. 

  216. ==== Enabling debug ====
  217. 

  218. Enabling debug messages may help you find out what's wrong.
  219. 

  220. To enable them, edit /etc/pamusb.conf and set the following option:
  221. <defaults>
  222.   <option name="debug">true</option>
  223. </defaults>
  224. 

  225. If you wish, you could enable debug messages only for a specific user, device or
  226. service.
  227. For instance, if you want to enable debug messages only for the sudo service,
  228. you could do the following:
  229. 

  230. <services>
  231.   <service id="sudo">
  232.     <option name="debug">true</option>
  233.   </service>
  234. </services>
  235. 

  236. ===== It works - What next ? =====
  237. 

  238. * Have a look at the configuration documentation